At Networking Field Day 11 I had the privilege of visiting Skyport Systems in Mountain View, CA and hearing first hand about their product offering, SkySecure. At first I thought Doug Gourlay was talking about some next-gen firewall until I realized that the solution itself included the x86 virtualization layer.

Let’s start with the definition from the Skyport Systems website:

The SkySecure System is designed to host critical and exposed application workloads that are the highest priority for the business to protect. The solution is an implementation of hyper-secured infrastructure that integrates compute, security, virtualization and policy in a pre-configured, managed infrastructure platform. The components listed below operate as a single turn-key system inclusive of all necessary software and hardware. This allows the system to maintain a secure configuration throughout its existence by providing embedded, layered, and compartmentalized security starting at the point of manufacture and verified continually throughout its existence.

Let me boil that down, if just for me. In short, SkySecure is a near turn-key, hardened virtualization platform (based on Xen) that relies on hardware-based security I/O co-processors and a Trusted Platform Module (TPM) to validate the integrity of the system. Among its many features it provides network microsegmentation along with per-VM firewall and DMZ capabilities.
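To make the "TPM validates the integrity of the system" point concrete, here is an added example (mine, not Skyport's code, and not a description of how SkySecure actually implements it) of the generic measured-boot mechanism a TPM supports: each boot component is hashed, the hash is folded into a Platform Configuration Register with the one-way extend operation, and a verifier replays the event log and compares the result against a known-good ("golden") value. The component blobs, the PCR reset value of all zeros and the hypothetical verifier logic are all constructed for the illustration.

```python
import hashlib

PCR_SIZE = 32                     # SHA-256 PCR bank
PCR_RESET = b"\x00" * PCR_SIZE    # reset value modeled as all zeros (assumption for the example)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || measurement).

    It is one-way and order-dependent, so no later component can "undo"
    an earlier measurement or reorder the chain without changing the result.
    """
    return sha256(pcr + measurement)


def measure_boot_chain(components):
    """Simulate the boot path measuring each component before handing control to it.

    Returns the final PCR value and an event log of (name, hex digest) entries,
    which is what a remote verifier would receive alongside a TPM quote.
    """
    pcr = PCR_RESET
    log = []
    for name, blob in components:
        digest = sha256(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR purely from the reported event log."""
    pcr = PCR_RESET
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Hypothetical attestation check (constructed for this example).

    Two conditions must hold: the log must be consistent with the PCR the
    platform reports (otherwise the log was edited), and the PCR must equal
    the value recorded for a known-good build of the same chain.
    """
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


# Constructed sample components; a real chain would hash firmware images,
# the hypervisor binary, its configuration, and so on.
GOOD_CHAIN = [
    ("firmware", b"firmware-image-v1"),
    ("hypervisor", b"xen-hypervisor-build-1234"),
    ("hv-config", b"xen-config: microsegmentation=on"),
]

# Same chain with one byte of the hypervisor altered.
TAMPERED_CHAIN = [
    ("firmware", b"firmware-image-v1"),
    ("hypervisor", b"xen-hypervisor-build-1235"),
    ("hv-config", b"xen-config: microsegmentation=on"),
]

# Same components loaded in a different order.
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]


def demo():
    golden_pcr, good_log = measure_boot_chain(GOOD_CHAIN)
    results = {
        "good": verify(*measure_boot_chain(GOOD_CHAIN), golden_pcr),
        "tampered": verify(*measure_boot_chain(TAMPERED_CHAIN), golden_pcr),
        "reordered": verify(*measure_boot_chain(REORDERED_CHAIN), golden_pcr),
    }
    # A platform that forges its log but cannot forge the TPM-signed PCR is caught too.
    forged_log = [entry for entry in good_log if entry[0] != "hv-config"]
    results["log-edited"] = verify(golden_pcr, forged_log, golden_pcr)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>10}: {'trusted' if ok else 'REJECTED'}")
```

The part that makes this useful in practice is the golden value: it has to be produced from a build you trust and stored somewhere the platform being checked cannot modify, and every legitimate firmware or hypervisor update changes it, so the verifier's expected values need the same change management as the code they measure.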

One of the most alluring features to me, with experience in the healthcare and retail industries, is the agentless (clientless) footprint of the solution on the actual guest VM. There's literally nothing to install onto the Windows or Linux guest VM: no management agent, no firewall or proxy agent, nothing. With the fairly stringent requirements of HIPAA and PCI DSS compliance, the ability to secure a system from the rest of the network without touching the system itself is very useful indeed. This is especially useful when looking at ShieldWeb.

The presentation included a memorable quote from a comment on a Brian Krebs story titled "Target Hackers Broke in Via HVAC Company". The quote, "If you think technology can fix security, you don't understand technology and you don't understand security," really defines the challenges facing IT with respect to security. In my opinion security is always a delicate balance between completely open and completely locked down. The users would like it completely open, while the security professionals and auditors would like it completely locked down. It's important to strike an even balance, and I would argue that Skyport Systems has a solution that can help provide that balance.

In the age of whitebox servers, SkySecure is a highly specialized solution that bundles hardware, software and management components, and it can be leveraged to secure extremely critical applications and highly sensitive systems.

As a disclaimer I received no compensation for my attendance of Networking Field Day 11 from Gestalt IT or any of the sponsors. Gestalt IT did provide for my travel arrangements, hotel accommodations and meals while in Santa Clara, CA.

We had a lively round table debate about "how much security is enough?" during Networking Field Day 11. It's certainly not a pure networking question; some in the room argued that security is no longer, or perhaps never was, the network engineer's responsibility, but a large number of networking professionals are still charged with keeping their employers' networks clear of threats.

The argument put forth was essentially that it is cheaper for companies to take the data breach hit than to feed ever-growing IT security budgets, because there are few penalties and little downside for the many businesses involved in what has become a daily occurrence of customer and/or credit card data theft following a breach. Greg suggests that companies might be better off investing in a good public relations firm to help manage any public crisis that might arise. I wouldn't agree that there aren't any downsides, although I would reluctantly agree that large businesses appear to be emerging relatively unscathed from these incidents. The emergence of data breach insurance, also known as cyber liability insurance, lends additional credence to the idea that large businesses look at security and data breaches as a simple math problem.

In short, the financial penalty for losing your customer data doesn't justify the IT security spend needed to actually secure that data. So it's cheaper for large businesses to take the financial hit for a data breach than to spend the considerable resources needed to secure the data, application or solution.

There's certainly validity to the overall point that there's little motivation for large businesses to spend significant resources on IT security. In an article entitled "Why companies have little incentive to invest in cybersecurity", Benjamin Dean provides numerous facts and supporting evidence suggesting that there's little motivation for large businesses to invest heavily in protecting customer information. He presents data from both the Target and Home Depot breaches that supports the argument, and ultimately ponders whether additional governmental oversight will be needed to close the loop.

I would counter with this point: when has any large business spent any more than it absolutely needed on anything? I can't tell you how often I've stood in front of a budget committee and been told that I'll just need to make do with the capital or operating funds I have available, no matter the strategic importance to the business operation or the ROI.

What do you think?

Is additional government oversight needed to get large business to take more responsibility?

Here's a look at a few different articles and posts that caught my eye over the past few weeks...

Articles

Network Field Day #NFD11 by Dominik Pickhardt – Dominik will be attending Network Field Day 11 this January 2016 in San Jose, CA. It just happens that I've also been invited to join the gang in Silicon Valley on January 19th – 22nd. You can find more information over on the Tech Field Day website.

A free, almost foolproof way to check for malware by Roger A. Grimes – A great article describing how to easily test a Windows client to see if it's infected with malware. I've recently found myself doing quite a bit of security forensics, analyzing various systems and disk images.

Will Let's Encrypt threaten commercial certificate authorities? by Larry Seltzer – Let's Encrypt is a new free certificate authority looking to make publicly trusted certificates available to anyone at no cost. The stated goal of the organization is to help secure the Internet by offering free TLS (SSL) certificates to anyone. The certificates are only valid for 90 days, a significant caveat and differentiator from the commercial certificate authorities; the short lifetime is meant to be handled by automated renewal rather than by hand, so anyone deploying them needs the renewal job in place before the first certificate lapses.

There's a lot of diversity among the presenting vendors, so I'm really looking forward to the presentations and discussions.

I'm also looking forward to the opportunity to meet Dominik, of Avaya networking fame, from Germany in person. Dominik has essentially been a partner in moderating the Network Infrastructure Forums for the past 4+ years. I've spoken to Dominik many times over Skype and we've recorded a few podcasts together (a story for another time), but I'm really excited to finally meet him in person.